
EJB 3.1: Working with Interceptors

  • 3 min read
  • 06 Jul 2011


EJB 3.1 Cookbook



Build real world EJB solutions with a collection of simple but incredibly effective recipes with this book and eBook       

The recipes in this article are based largely around a conference registration application as developed in the first recipe of the previous article on Introduction to Interceptors. It will be necessary to create this application before the other recipes in this article can be demonstrated.

Using interceptors to enforce security


While security is an important aspect of many applications, the use of programmatic security can clutter up business logic. The use of declarative annotations has come a long way in making security easier to use and less intrusive. However, there are still times when programmatic security is necessary. When it is, then the use of interceptors can help remove the security code from the business logic.

Getting ready


The process for using an interceptor to enforce security involves:

  1. Configuring and enabling security for the application server
  2. Adding a @DeclareRoles annotation to the target class and the interceptor class
  3. Creating a security interceptor

How to do it...


Configure the application to handle security as detailed in the Configuring the server to handle security recipe. Add the @DeclareRoles("employee") annotation to the RegistrationManager class.

Add a SecurityInterceptor class to the packt package. Inject a SessionContext object into the class. We will use this object to perform programmatic security. Also use the @DeclareRoles annotation.

Next, add an interceptor method, verifyAccess, to the class. Use the SessionContext object and its isCallerInRole method to determine if the user is in the "employee" role. If so, invoke the proceed method and display a message to that effect. Otherwise, throw an EJBAccessException.

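    package packt;

    import javax.annotation.Resource;
    import javax.annotation.security.DeclareRoles;
    import javax.ejb.EJBAccessException;
    import javax.ejb.SessionContext;
    import javax.interceptor.AroundInvoke;
    import javax.interceptor.InvocationContext;

    // Declares the role name that isCallerInRole tests below
    @DeclareRoles("employee")
    public class SecurityInterceptor {

        // Injected by the container; gives access to the caller's security identity
        @Resource
        private SessionContext sessionContext;

        @AroundInvoke
        public Object verifyAccess(InvocationContext context) throws Exception {
            System.out.println("SecurityInterceptor: Invoking method: "
                    + context.getMethod().getName());
            if (sessionContext.isCallerInRole("employee")) {
                // Authorized: continue down the interceptor chain to the target method
                Object result = context.proceed();
                System.out.println("SecurityInterceptor: Returned from method: "
                        + context.getMethod().getName());
                return result;
            } else {
                // Not authorized: the target method is never invoked
                throw new EJBAccessException();
            }
        }
    }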



Execute the application. The user should be prompted for a username and password as shown in the following screenshot. Provide a user in the employee role.



The application should execute to completion.



Depending on the interceptors in place, you will see console output similar to the following:

    INFO: Default Interceptor: Invoking method: register
    INFO: SimpleInterceptor entered: register
    INFO: SecurityInterceptor: Invoking method: register
    INFO: InternalMethod: Invoking method: register
    INFO: register
    INFO: Default Interceptor: Invoking method: create
    INFO: Default Interceptor: Returned from method: create
    INFO: InternalMethod: Returned from method: register
    INFO: SecurityInterceptor: Returned from method: register
    INFO: SimpleInterceptor exited: register
    INFO: Default Interceptor: Returned from method: register

How it works...


The @DeclareRoles annotation declares the employee role as one that the class refers to, which makes it available to the isCallerInRole check. The isCallerInRole method determines whether the current user is in the employee role. When the target method is called and the user is authorized, the InvocationContext's proceed method is executed. If the user is not authorized, the target method is not invoked and an EJBAccessException is thrown.
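
The same check with an audit trail on the deny path, as an added example that is not code from the original article or the book. The class name AuditedSecurityInterceptor, the logger and the message formats are assumptions; the allowed roles are read from the interceptor's own @DeclareRoles annotation so that the declared and checked role names cannot drift apart.

```java
package packt;

import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

// Hypothetical variant of SecurityInterceptor (added example).
// Bind it with @Interceptors(AuditedSecurityInterceptor.class) on the bean.
@DeclareRoles({"employee"})
public class AuditedSecurityInterceptor {

    private static final Logger LOG =
            Logger.getLogger(AuditedSecurityInterceptor.class.getName());

    // Single source of truth: the roles checked are the roles declared above.
    private static final String[] ALLOWED = AuditedSecurityInterceptor.class
            .getAnnotation(DeclareRoles.class).value();

    @Resource
    private SessionContext sessionContext;

    @AroundInvoke
    public Object verifyAccess(InvocationContext context) throws Exception {
        String method = context.getMethod().getName();
        for (String role : ALLOWED) {
            if (sessionContext.isCallerInRole(role)) {
                return context.proceed();   // authorized: run the target method
            }
        }
        // Fail closed: without a matching role the target is never invoked.
        // Log who was refused; method parameters are deliberately not logged.
        String caller = sessionContext.getCallerPrincipal().getName()
                .replaceAll("[\\r\\n]", "_");   // keep the entry on one line
        LOG.warning("Access denied: caller=" + caller + " method=" + method);
        throw new EJBAccessException("Caller not authorized for " + method);
    }
}
```

The interceptor only runs for calls that go through the container, so a method of the bean that calls another of its own methods directly bypasses the check.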

See also